1. Field of the Invention
The present invention relates to communication network security and, more particularly, to a method for detecting anomalies in a control network, which can be used to detect anomalies that cannot be detected using measures known from the prior art.
2. Description of the Related Art
The linking of a large number of computers and local networks to form a worldwide network (the Internet) in recent decades has greatly enhanced the effectiveness and user-friendliness of numerous processes in business, government and private sectors. Unfortunately, the increasing complexity of the applications has also meant a huge rise in the number of inherent errors and vulnerabilities, which allow malevolent third parties to abuse such systems for their own purposes. Although manufacturers try increasingly to reduce such vulnerabilities at an early stage during software development by implementing appropriate programming techniques and quality assurance processes, and to eliminate them as soon as possible once they have become known, the number of vulnerabilities becoming known in IT systems continues to increase every year.
IT-based monitoring and control systems, generally also known as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) or energy management systems (EMS), are now also used in many technical units, such as industrial units, factories and power plants, for power, water and gas distribution as well as for oil and gas pipelines. In the past, these systems differed from conventional IT systems in that they were operated in total isolation in physically protected areas and, in particular, often used communication protocols not normally found in the IT environment. A high level of reliability is the highest priority here. Fast response times in the region of milliseconds are essential for communication between field devices (e.g., for protection functions in energy transportation and distribution). In contrast to the IT environment, information security was of lower priority, as such automation networks were considered intrinsically secure or were not connected to insecure networks.
Such systems are now increasingly also connected to other networks to form a comprehensive control network to achieve greater increases in efficiency. Thus, for example, a manufacturing control system (MCS) is connected to a manufacturing execution system (MES) and this (or both) is/are in turn connected to an enterprise resource planning (ERP) system, which is one of the company's office software applications. Technical units at different sites communicate over leased lines or even completely public networks. Access is set up for the remote maintenance of units. Information from public networks (e.g., time, weather forecast or raw materials prices from the supplier) can even form part of the operation of a technical unit.
Increasing networking gives rise to control networks that are easier to attack, because the intrinsic protection resulting from the isolation of the individual systems is increasingly absent. As in the conventional IT environment, there is then an increasing need to update unit parts in respect of security and keep them updated. However, this continual updating is often not possible, because corresponding corrections or patches (if available) cannot be loaded during ongoing operation, if they require the respective systems to be restarted. Maintenance breaks are also often not adequate for this purpose, because other work has to be performed during these periods. Consequently, even known security vulnerabilities are not eliminated from control networks over a number of years. The deployment of virus scanners is also problematic, because when deployed they can have a seriously adverse effect on unit control due to performance impairment as a result of the scanning devices and also due to the blocking of files and programs identified (in some instances incorrectly) as harmful.
The closest possible monitoring of the control network of a technical unit, in particular for network-based attacks, is therefore essential in order to institute appropriate measures in good time and to avoid downtime of the technical unit, with, in some instances, serious consequences for people, equipment and the environment.
A control network is used, depending on the technical unit in question, for control and monitoring purposes in industrial and building automation. In industrial automation, control networks control, for example, factories or power plants as well as power, water or gas distribution, and they are also used for oil and gas pipelines.
Until now, control networks have rarely been monitored in respect of security; reliance is usually still placed on the (presumed) isolation of the control network in respect of production control and a lack of knowledge of corresponding protocols and devices on the part of potential attackers, who generally come from the traditional IT environment. With the increasing connection of networks, however, the growing experience of attackers and their increasing motivation and commercial potential, this strategy is becoming less and less successful.
Intrusion in a control network can be detected using a conventional intrusion detection system (IDS), as long as the attack or interference is still ongoing.
The most widely used intrusion detection systems (e.g., SNORT) mainly operate in a signature-based manner. Such signatures have to be generated, at considerable effort, for each individual attack that is to be detected. When an installed intrusion detection system is configured, the patterns of the relevant attacks have to be selected and made known to the intrusion detection system, for example, in a configuration file. As soon as new vulnerabilities become known, or attacks on already known vulnerabilities are modified, new signatures have to be generated and the configuration file of the intrusion detection system has to be extended correspondingly.
Other known traffic analysis approaches detect scanning and flooding attacks based on major changes in traffic volume in the Transmission Control Protocol/Internet Protocol (TCP/IP) layer.
All the above-mentioned and further measures (e.g., firewalls, application gateways, DMZs, security cells) are suitable for protecting the control network. However, they offer little protection for the actual technical unit once the control network has, by whatever means, already been corrupted and taken over. It is then possible to collect detailed information about unit processes using regular commands. The technical unit can then be taken out of control by adjusting actuators.
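The two related-art approaches described above (signature matching and volume-based traffic analysis) and the gap noted in the last paragraph can be seen side by side in the following small script. It is an added illustration, not part of the patent text and not an implementation of the claimed method; the packet records, the "READ"/"WRITE" command strings and the signature pattern are constructed placeholders, not a real control protocol or a real SNORT rule.

```python
# Added illustration (not part of the patent text): a minimal signature-based
# matcher and a volume-based detector, run over constructed sample traffic,
# to show what each related-art approach catches and what it lets through.
from collections import Counter

# Hypothetical signature database. Real IDS signatures are far richer; the
# byte pattern below is a placeholder constructed for this example.
SIGNATURES = {"exploit-v1": b"EXPLOIT_V1"}


def build_sample_traffic():
    """Constructed packet records: (time_s, src, dst, payload).

    The command strings imitate a simple read/write control protocol and
    are invented for this example; they are not a real protocol.
    """
    records = []
    # Baseline: one regular read command per second from the operator station.
    for sec in range(10):
        records.append((float(sec), "10.0.0.5", "10.0.0.20", b"READ REG 40001"))
    # A known attack that the signature database covers ...
    records.append((3.0, "10.0.0.99", "10.0.0.20", b"EXPLOIT_V1 AAAA"))
    # ... and a modified variant of the same attack with no signature yet.
    records.append((5.0, "10.0.0.99", "10.0.0.20", b"EXPLOIT_V2 AAAA"))
    # A flood: 200 packets within one second.
    for i in range(200):
        records.append((7.0 + i / 1000, "10.0.0.99", "10.0.0.20", b"SYN"))
    # A single regular write command from an already compromised operator
    # station, changing an actuator setpoint at a normal rate.
    records.append((9.0, "10.0.0.5", "10.0.0.20", b"WRITE REG 40002 0"))
    return sorted(records, key=lambda r: r[0])


def signature_alerts(records, signatures=SIGNATURES):
    """Signature-based detection: flag any payload containing a known pattern."""
    alerts = []
    for t, src, _dst, payload in records:
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append((t, src, name))
    return alerts


def volume_alerts(records, baseline_pps, factor=10.0):
    """Volume-based detection: flag each second whose packet count exceeds
    the baseline packet rate by more than `factor`."""
    per_second = Counter(int(t) for t, *_ in records)
    return sorted(sec for sec, n in per_second.items() if n > baseline_pps * factor)


def unflagged_writes(records, signatures=SIGNATURES, baseline_pps=1.0):
    """Write commands that neither detector flags: regular protocol traffic
    from a trusted address, at a normal rate, carrying no attack signature."""
    sig_times = {t for t, _src, _name in signature_alerts(records, signatures)}
    noisy_secs = set(volume_alerts(records, baseline_pps))
    return [r for r in records
            if r[3].startswith(b"WRITE")
            and r[0] not in sig_times
            and int(r[0]) not in noisy_secs]


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("signature alerts:", signature_alerts(traffic))
    print("volume alerts (seconds):", volume_alerts(traffic, baseline_pps=1.0))
    print("writes neither detector saw:", unflagged_writes(traffic))
```

Run as written, the signature matcher reports only the "EXPLOIT_V1" packet at second 3 (the modified "EXPLOIT_V2" variant at second 5 needs a new signature first), the volume detector reports only second 7 (201 packets against a baseline of one per second), and the single "WRITE" command at second 9 from the trusted operator address is reported by neither: it is a regular command at a regular rate, which is exactly the kind of traffic the preceding paragraph says the listed measures do not protect against.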